Several folks who attend both the American Society for Testing and Materials (ASTM) and the Object Management Group (OMG) meetings see great opportunities for collaboration between the OMG Healthcare Domain Task Force (HDTF) and the ASTM Healthcare Informatics E31 Committee. It was proposed that the OMG Resource Access Decision specification be brought forward to ASTM for adoption as a standard.
Why do folks believe access control is important?
The lack of a framework to support the fine-grained access controls required by application-level security is a well-known problem. The problem is not specific to healthcare, but its complexity in the healthcare environment is escalated by the need to ensure the privacy and confidentiality of clinical information. Today's commercial authorization products still need to address the sophisticated access control policies required by the healthcare industry.
For example, security policy may need to be based on transient relationships such as attending physician or individual elements of patient records such as HIV test results. This has forced healthcare software vendors to develop proprietary access control mechanisms, known as security policy engines, as part of their healthcare products. This has several implications:
- It puts the responsibility for defining the capabilities of security policy for an enterprise with the healthcare vendor and not the customer. This requires all customers of a vendor product to use a common security policy model to control secured resources
- The proliferation of healthcare organizations, products, policy engines, and security policy implementations makes it difficult to administer and maintain an enterprise-wide security policy
- It forces healthcare software providers to develop security architectures that may not be their core competency. This, in turn, detracts from their primary business mission
Security is a complex problem. The commonality of business domain tasks and security requirements across healthcare computing environments both promotes and requires exercising fine-grained access control policies in a uniform and standard way. Access control is only one aspect of the security domain; fully addressing the requirements of the healthcare industry calls for solutions that also integrate auditing, non-repudiation, and notification of security breaches.
Healthcare vendors are increasingly asked to be security vendors, driving up the cost of solutions. The healthcare industry must integrate existing security architectures, technologies and products rather than continue to develop proprietary security solutions.
How can RAD Help?
RAD addresses these problems, providing a uniform way for application systems to enforce resource-oriented access control policies. RAD was designed by security specialists to address the requirements of the healthcare industry. By standardizing this service, we enable the healthcare organization to define and administer an enterprise security policy consistently across systems.
The RAD service provides:
- The ability to leverage existing security standards, such as Kerberos, SSL, PKI
- Secure interoperability across distributed technology environments (OSF/DCE, CORBA, LDAP)
- Identification of caregivers' privileges
- Commercial vendor support by companies specializing in security solutions
- Ability to maintain security policy without the need to modify healthcare applications
- Security administrators with the ability to dynamically maintain and enforce security policies as they evolve
- The ability to leverage the power of componentization: the separation of security policy from the healthcare applications
- A simple, standardized interface that product vendors use to request access control decisions
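To make the separation of policy from application concrete, the following is an added illustrative example, not code from the OMG RAD specification or from the meeting report. It is modelled on RAD's access_allowed(resource_name, operation, attribute_list) call: the application names the resource and operation and passes the caller's security attributes, and the decision service applies the policy. The ATTENDING table, the rule syntax, the attribute names and the patient identifiers are all constructed for illustration; in a real deployment the "attending" relationship would be supplied by a dynamic attribute lookup against the registration system rather than an in-memory dict.

```python
"""Illustrative RAD-style access decision service (added example, hypothetical names)."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

ResourceName = Tuple[str, ...]   # hierarchical name, e.g. ("patient", "p123", "labs", "hiv")
Attributes = Dict[str, str]      # the caller's security attributes, e.g. {"user": ..., "role": ...}

# Constructed sample data: which physician is currently attending each patient.
# This stands in for a dynamic attribute service that would query the ADT system.
ATTENDING = {"p123": "dr_lee", "p456": "dr_chan"}


def dynamic_attributes(resource: ResourceName, attrs: Attributes) -> Attributes:
    """Extend the caller's static attributes with transient relationships to the resource."""
    extended = dict(attrs)
    if len(resource) >= 2 and resource[0] == "patient":
        patient = resource[1]
        if ATTENDING.get(patient) == attrs.get("user"):
            extended["relationship"] = "attending"
        elif attrs.get("user") == patient:
            extended["relationship"] = "self"
    return extended


@dataclass(frozen=True)
class Rule:
    pattern: ResourceName                  # "*" matches one component, "**" matches the rest
    operation: str
    condition: Callable[[Attributes], bool]
    effect: str                            # "permit" or "deny"


def matches(pattern: ResourceName, resource: ResourceName) -> bool:
    """Component-wise match of a resource name against a rule pattern."""
    for i, component in enumerate(pattern):
        if component == "**":
            return True
        if i >= len(resource) or (component != "*" and component != resource[i]):
            return False
    return len(pattern) == len(resource)


# The policy lives here, outside the application. Changing it does not change the app.
POLICY = [
    # HIV results: only the attending physician or the patient may read them.
    Rule(("patient", "*", "labs", "hiv"), "read",
         lambda a: a.get("relationship") in ("attending", "self"), "permit"),
    Rule(("patient", "*", "labs", "hiv"), "read", lambda a: True, "deny"),
    # Other record elements: any physician or nurse may read.
    Rule(("patient", "*", "**"), "read",
         lambda a: a.get("role") in ("physician", "nurse"), "permit"),
    # Chart notes may be written only by the attending physician.
    Rule(("patient", "*", "notes"), "write",
         lambda a: a.get("relationship") == "attending", "permit"),
]


def access_allowed(resource: ResourceName, operation: str, attrs: Attributes) -> bool:
    """First applicable rule wins; if no rule applies the default is deny."""
    effective = dynamic_attributes(resource, attrs)
    for rule in POLICY:
        if (rule.operation == operation and matches(rule.pattern, resource)
                and rule.condition(effective)):
            return rule.effect == "permit"
    return False


def fetch_lab_result(caller: Attributes, patient: str, test: str) -> str:
    """Application-side code: it names the resource and asks, it never encodes policy."""
    resource = ("patient", patient, "labs", test)
    if not access_allowed(resource, "read", caller):
        raise PermissionError(f"{caller.get('user')} may not read {'/'.join(resource)}")
    return f"result of {test} for {patient}"   # stand-in for the real record lookup


if __name__ == "__main__":
    dr_lee = {"user": "dr_lee", "role": "physician"}
    dr_chan = {"user": "dr_chan", "role": "physician"}
    print(fetch_lab_result(dr_lee, "p123", "hiv"))      # attending physician: permitted
    print(fetch_lab_result(dr_chan, "p123", "cbc"))     # ordinary element: any physician
    try:
        fetch_lab_result(dr_chan, "p123", "hiv")        # not attending: denied
    except PermissionError as e:
        print("denied:", e)
```

The point to notice is that the application (fetch_lab_result) has no knowledge of roles, relationships or which record elements are sensitive; tightening the HIV rule or adding a new sensitive element is an edit to POLICY only. Rule order matters because the first applicable rule wins, so the specific HIV rules are listed before the general "any physician may read" rule.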
As a way of moving consideration of this objective forward, and with the concurrence of the E31.20 Chair Dr. Ted Cooper, OMG representatives were invited to attend the E31.20 working group sessions held in Boston on Saturday, May 12, from 8:00 to 11:30 AM, with a portion of that time made available for discussing collaboration. The objectives were:
- To discuss/formalize this collaboration
- Make ASTM membership aware of this exceptional opportunity
- To identify the follow-on process and people on both sides necessary to meet our goal
As a Result
Jon Farmer of Care Data Systems and Jon Siegel of the OMG presented the OMG's HDTF standard, RAD, at the 12 May 2001 ASTM E31.20 Working Group Session in Boston, MA.
Conclusions from the meeting
- OMG is a certified ISO PAS (Publicly Available Specification) submitter, and many OMG specifications are also ISO standards
- RAD, only recently adopted, is just beginning to move through the ISO PAS process via ISO TC 215; even though the PAS process is relatively fast, this will take some time to complete
- OMG believes that this standard would have more impact if it were also an ASTM E31.20 standard
- The copyright is owned by the companies that developed and submitted it to OMG, which affects change control. However, OMG would make it available for ASTM to sell copies, with no royalties due to OMG, as it has done with ISO
- There was consensus that an ASTM implementation guide for it would be valuable. Ted will ask Dan Smith (ASTM E31 staff manager) to explore a formal arrangement with OMG for work on this